Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A system comprising: at least one processor; memory storing computer-executable instructions that, when executed by the at least one processor, cause the system to implement a symmetric bridge component partially in a user mode of the system and partially in a kernel mode of the system, wherein the symmetric bridge component is configured to cause the system to: open a communications port by causing a first bridge component, of the symmetric bridge component, to activate a function to initialize the communications port in one of the kernel mode or the user mode; set the communications port to a connected state to create an opened and connected communications port in response to a second bridge component, of the symmetric bridge component, activating the function in the other of the kernel mode or the user mode; send a message containing data via the opened and connected communications port, the data originating from a first endpoint component executable in one of the kernel mode or the user mode; and receive the data at a second endpoint component executable in the other of the kernel mode or the user mode.
This invention relates to a system for facilitating communication between user mode and kernel mode components in a computing environment. The problem addressed is the difficulty of securely and efficiently exchanging data between processes operating in different privilege levels, such as user mode and kernel mode, which typically require complex inter-process communication (IPC) mechanisms. The system includes a symmetric bridge component that spans both user mode and kernel mode, enabling seamless data transfer. The bridge consists of two parts: a first bridge component that initializes a communications port in either kernel or user mode, and a second bridge component that activates the same function in the opposite mode to establish a connection. Once the port is opened and connected, data can be sent from a first endpoint in one mode (e.g., user mode) and received by a second endpoint in the other mode (e.g., kernel mode). This approach ensures that the communication channel is properly established before data transmission, reducing the risk of errors or security vulnerabilities. The system simplifies IPC by abstracting the differences between the two modes, allowing developers to focus on application logic rather than low-level communication details.
2. The system of claim 1 , wherein the communications port is set to a waiting state in response to activation of the function by the first bridge component and until the second bridge component activates the function.
A system for managing communications between bridge components in a networked environment addresses the problem of ensuring synchronized and controlled data transfer between interconnected systems. The system includes a communications port that facilitates data exchange between a first bridge component and a second bridge component. The communications port is dynamically configurable to manage data flow based on the operational state of the bridge components. Specifically, the communications port is set to a waiting state in response to activation of a function by the first bridge component. This waiting state persists until the second bridge component also activates the same function, ensuring that both components are in a synchronized state before data transfer occurs. This mechanism prevents data corruption or loss by enforcing synchronization between the bridge components before enabling communication. The system is particularly useful in environments where precise timing and coordination between interconnected systems are critical, such as industrial automation, distributed computing, or real-time data processing applications. The waiting state ensures that the second bridge component is ready to receive or process data before the first bridge component proceeds, thereby maintaining data integrity and system reliability.
3. The system of claim 1 , wherein: opening the communications port further comprises returning a port handle for the communications port; and sending the message is based at least in part on the port handle.
A system for managing communications ports in a computing environment addresses the challenge of securely and efficiently handling data transmission between applications or devices. The system includes a communications port that facilitates message exchange, with mechanisms to open, close, and manage the port's state. When opening the communications port, the system generates and returns a port handle, a unique identifier that represents the port and is used to reference it in subsequent operations. This handle ensures that messages are sent through the correct port, preventing misrouting or unauthorized access. The system verifies the validity of the port handle before processing any message, enhancing security. Additionally, the system may include features to monitor port activity, enforce access controls, and log communication events. The port handle mechanism simplifies port management by abstracting low-level details, allowing applications to interact with the port using a standardized interface. This approach improves reliability and reduces errors in message transmission. The system is particularly useful in environments where multiple applications or devices share a limited number of communication channels, ensuring efficient resource utilization and secure data exchange.
4. The system of claim 1 , wherein opening the communications port further comprises assigning a port identifier to the communications port that uniquely identifies the communications port by differentiating the communications port from other communications ports that have been opened on the system.
A system for managing communications ports in a computing environment addresses the challenge of efficiently tracking and differentiating multiple open communications ports. The system includes a processor and memory storing instructions that, when executed, enable the processor to open a communications port for data transmission. The system further assigns a unique port identifier to the communications port, ensuring it can be distinctly recognized from other open ports on the system. This identifier differentiates the port from others, preventing conflicts and enabling precise management. The system may also include a port management module that monitors and controls the lifecycle of the communications port, including opening, closing, and reassigning ports as needed. The unique identifier allows the system to track port status, usage, and performance, improving resource allocation and security. This approach enhances system reliability by reducing port-related errors and ensuring proper communication channel management. The system may be integrated into network devices, servers, or other computing platforms requiring robust port management.
5. The system of claim 1 , wherein the symmetric bridge component comprises at least one common application programming interface (API) for communication of the data between the kernel mode and the user mode in both directions.
This invention relates to a system for facilitating secure and efficient data communication between kernel mode and user mode in a computing environment. The system addresses the challenge of securely transferring data between these two operating system layers while maintaining performance and compatibility with existing applications. The system includes a symmetric bridge component that enables bidirectional data communication between kernel mode and user mode. This bridge component features at least one common application programming interface (API) that standardizes the communication process. The API allows data to be transmitted from the kernel mode to the user mode and vice versa, ensuring seamless interaction between the two layers. The symmetric design ensures that the communication mechanism is consistent in both directions, reducing complexity and improving reliability. The system may also include a kernel mode component that operates within the kernel space of the operating system, handling low-level operations and system-level tasks. Additionally, a user mode component operates in the user space, interfacing with applications and higher-level software. The symmetric bridge component acts as an intermediary, ensuring that data exchanged between these components is properly formatted, validated, and securely transmitted. This approach enhances security by isolating the kernel mode from direct exposure to user mode applications, while still enabling efficient data exchange. The use of a common API simplifies integration with existing software and reduces the risk of errors during data transfer. The system is particularly useful in environments where secure and reliable communication between kernel and user modes is critical, such as in operating systems, virt
6. The system of claim 1 , wherein: the first endpoint component is attached to at least one of: (i) a kernel-level bus of a kernel-level security agent executing in the kernel mode, or (ii) a user-level bus of a user-level security agent executing in the user mode; and the second endpoint component is attached to the other of the kernel-level bus or the user-level bus.
This invention relates to a security system for monitoring and controlling data flows between kernel-mode and user-mode processes in a computing environment. The system addresses the challenge of securely managing interactions between high-privilege kernel-level operations and lower-privilege user-level applications, which is critical for preventing unauthorized data access or system compromises. The system includes two endpoint components that act as intermediaries for data exchanges. The first endpoint component is connected to either a kernel-level bus of a kernel-level security agent or a user-level bus of a user-level security agent, depending on the system configuration. The second endpoint component is connected to the opposite bus (kernel-level if the first is user-level, and vice versa). This dual-bus attachment ensures bidirectional monitoring and control of data flows between the kernel and user modes, allowing the security agents to enforce policies, detect anomalies, or block malicious activities. The kernel-level security agent operates in kernel mode, providing deep system-level oversight, while the user-level security agent operates in user mode, handling application-level security tasks. By attaching the endpoint components to both buses, the system creates a unified security framework that spans both privilege levels, reducing the risk of data leaks or unauthorized modifications. The configuration ensures that all inter-mode communications are intercepted and validated, enhancing overall system security.
7. A method comprising: opening a communications port by causing a first bridge component to activate a function to initialize the communications port in one of a kernel mode of a computing device or a user mode of the computing device; setting the communications port to a connected state in response to a second bridge component activating the function in the other of the kernel mode or the user mode; in response to opening the communications port and setting the communications port to the connected state, sending a message containing data via the communications port, the data originating from a first endpoint component executable in one of the kernel mode or the user mode; and receiving the data at a second endpoint component executable in the other of the kernel mode or the user mode.
This invention relates to inter-process communication (IPC) systems that facilitate data exchange between kernel mode and user mode components in a computing device. The problem addressed is the complexity and inefficiency of traditional IPC mechanisms, which often require multiple layers of translation or separate communication channels to bridge the kernel-user boundary. The method involves a bridge system with two components: one operating in kernel mode and the other in user mode. The first bridge component initializes a communications port in either kernel or user mode, while the second bridge component activates the port in the opposite mode, establishing a connected state. Once the port is open and connected, a message containing data is sent from a first endpoint component (running in either kernel or user mode) through the communications port. The data is then received by a second endpoint component executing in the opposite mode. This approach enables direct, bidirectional communication between kernel and user mode processes without requiring additional translation layers or complex protocol conversions. The system ensures efficient data transfer while maintaining system stability and security.
8. The method of claim 7 , further comprising, prior to sending the message via the communications port: serializing the data as serialized data; and creating the message based at least in part on the serialized data.
This invention relates to data communication systems, specifically methods for preparing and transmitting messages containing serialized data. The problem addressed is the efficient and reliable transmission of structured data across communication networks, ensuring data integrity and compatibility between different systems. The method involves serializing data into a standardized format, such as JSON, XML, or binary, to facilitate transmission. The serialized data is then used to construct a message, which may include additional metadata or headers to ensure proper routing and interpretation by the receiving system. This message is subsequently sent via a communication port, such as a network interface or serial port, to a target device or system. The serialization step ensures that complex data structures, such as objects or arrays, are converted into a linear format that can be easily transmitted and reconstructed at the destination. The message creation process may involve encapsulating the serialized data within a protocol-specific wrapper, adding error-checking mechanisms, or including timestamps for synchronization. The communication port may be configured to handle various transmission protocols, such as TCP/IP, UDP, or proprietary protocols, depending on the application requirements. This approach improves data transmission reliability by standardizing the data format and ensuring compatibility across different systems, reducing errors and improving interoperability. The method is particularly useful in distributed systems, IoT devices, and cloud computing environments where data must be exchanged efficiently and accurately.
9. The method of claim 8 , wherein: the function is a first function; the serialized data comprises a message buffer having a starting address and a length; and sending the message comprises activating a second function that specifies the starting address and the length of the message buffer.
This invention relates to data serialization and communication in computing systems, specifically addressing the efficient transmission of serialized data between processes or systems. The problem solved involves managing serialized data, such as message buffers, in a way that ensures accurate and efficient transfer while minimizing overhead. The invention provides a method for sending serialized data by invoking a first function that processes the data, followed by a second function that specifies the buffer's starting address and length. This two-step approach allows for precise control over the data being transmitted, ensuring that only the relevant portion of the buffer is sent. The method is particularly useful in systems where data integrity and transmission efficiency are critical, such as in distributed computing or inter-process communication. By separating the serialization logic from the transmission parameters, the invention improves modularity and reduces the risk of errors in data handling. The use of address and length parameters ensures that the correct data segment is transmitted, enhancing reliability in data exchange. This approach is applicable in various computing environments, including real-time systems, embedded systems, and networked applications.
10. The method of claim 9 , wherein: the second function comprises a synchronous function; and the message buffer remains valid and unchanged at least until a call to the synchronous function is returned with at least one of an indication that the message was successfully sent, an indication that a timeout occurred, or an indication that the message failed to send.
This invention relates to message transmission systems, specifically improving reliability in asynchronous communication where message buffers may be prematurely invalidated. The problem addressed is ensuring message integrity and proper handling of transmission outcomes in systems where buffers are reused or overwritten before confirmation of successful delivery. The solution involves a synchronous function that enforces buffer validity until transmission confirmation is received, preventing data corruption or loss. The synchronous function provides explicit feedback on transmission status, including success, timeout, or failure, allowing the system to take appropriate action. The message buffer remains unchanged and accessible throughout the transmission process, ensuring the original data is preserved until the operation completes. This approach is particularly useful in high-throughput or real-time systems where message integrity and reliable status reporting are critical. The invention ensures that buffers are not prematurely reused or modified, which could otherwise lead to data corruption or transmission errors. The synchronous function acts as a gatekeeper, guaranteeing that the buffer remains valid until the transmission outcome is determined, thereby enhancing system reliability and robustness.
11. The method of claim 9 , wherein: the second function comprises an asynchronous function; and the message buffer remains valid and unchanged at least until a callback function is activated in response to at least one of the message being successfully sent, a timeout occurring, or the message failing to send.
This invention relates to asynchronous message handling in computing systems, specifically addressing the challenge of ensuring message buffer integrity during transmission. The method involves a system where a first function initiates the sending of a message, and a second function, operating asynchronously, manages the transmission process. The message buffer retains its validity and remains unchanged until a callback function is triggered by one of three events: successful message transmission, a timeout, or a transmission failure. This ensures that the original message data is preserved until the transmission outcome is confirmed, preventing data corruption or loss during the process. The asynchronous nature of the second function allows the system to handle other tasks while waiting for the transmission to complete, improving efficiency. The callback mechanism provides a reliable way to verify the transmission status and take appropriate action based on the result. This approach is particularly useful in systems where message reliability and system responsiveness are critical, such as real-time communication or distributed computing environments.
12. The method of claim 11 , wherein sending the message comprises: queuing the message; and sending the message in a different thread context than a thread context in which the message was queued.
This invention relates to message processing systems, specifically improving efficiency and reliability in message transmission. The problem addressed is the potential for delays or failures in message delivery when messages are processed in the same thread context where they are generated, which can lead to bottlenecks or resource contention. The method involves queuing a message and then sending it in a different thread context than the one in which it was queued. This separation ensures that message processing does not block the thread responsible for generating or queuing the message, improving system responsiveness and throughput. The queuing step involves storing the message in a buffer or queue for later retrieval, while the sending step involves transmitting the message to its destination using a separate thread. This approach allows the system to handle high message volumes without degrading performance, as the sending thread can operate independently of the queuing thread. The method is particularly useful in distributed systems, real-time applications, and environments where low latency and high reliability are critical. By decoupling message queuing and sending, the system can better manage resources and maintain consistent performance under varying loads.
13. The method of claim 8 , further comprising, prior to receiving the data at the second endpoint component: deserializing the serialized data to obtain the data; and providing the data to at least one of: (i) a kernel-level component instantiated in the kernel mode, or (ii) a user-level component instantiated in the user mode.
This invention relates to data processing in computing systems, specifically methods for handling serialized data between different system components. The problem addressed is the efficient and secure transfer of data between kernel-mode and user-mode components, particularly when the data is serialized for transmission. The invention provides a method for deserializing serialized data at a second endpoint component before it is processed by either kernel-level or user-level components. The deserialization step ensures the data is in a usable format before being provided to the appropriate system component, whether operating in kernel mode or user mode. This approach enhances system security and performance by ensuring data integrity and proper handling at different privilege levels. The method is particularly useful in systems where data must be transmitted between components with different execution contexts, such as in operating systems or distributed computing environments. By explicitly deserializing the data before processing, the invention avoids potential errors or security vulnerabilities that could arise from improper data handling. The solution is applicable in scenarios where data must be passed between high-privilege kernel components and lower-privilege user components, ensuring seamless and secure interoperability.
14. The method of claim 7 , wherein: the first endpoint component is attached to at least one of: (i) a kernel-level bus of a kernel-level security agent executing in the kernel mode, or (ii) a user-level bus of a user-level security agent executing in the user mode; and the second endpoint component is attached to the other of the kernel-level bus or the user-level bus.
This invention relates to a security system architecture that enhances communication between kernel-level and user-level security agents. The system addresses the challenge of securely exchanging data between different execution levels in an operating system, where kernel-level processes operate with high privileges and user-level processes operate with restricted access. The invention provides a method for bridging these levels by using two endpoint components, each attached to a different bus. The first endpoint component connects to either a kernel-level bus of a kernel-level security agent running in kernel mode or a user-level bus of a user-level security agent running in user mode. The second endpoint component connects to the opposite bus (kernel-level if the first is user-level, and vice versa). This dual-bus attachment ensures secure and efficient data transfer between the kernel and user spaces, enabling coordinated security operations across both execution levels. The system improves security by isolating sensitive operations in the kernel while allowing user-level processes to participate in security monitoring and enforcement. The method ensures compatibility with existing security agents and minimizes performance overhead by leveraging dedicated buses for inter-level communication.
15. The method of claim 7 , wherein the first bridge component and the second bridge component are each part of a symmetric bridge component that is implemented partially in the user mode and partially in the kernel mode and that comprises at least one common application programming interface (API) for communication of the data between the kernel mode and the user mode in both directions.
This invention relates to a symmetric bridge component for facilitating data communication between user mode and kernel mode in a computing system. The problem addressed is the inefficiency and complexity of traditional methods for transferring data between these two operating system layers, which often require separate mechanisms for each direction of communication. The symmetric bridge component is implemented partially in user mode and partially in kernel mode, ensuring seamless bidirectional data exchange. It includes at least one common application programming interface (API) that enables communication in both directions, eliminating the need for distinct interfaces for each mode. This design reduces overhead, simplifies development, and improves performance by standardizing the interaction between user and kernel space. The bridge component consists of two parts: a first bridge component in user mode and a second bridge component in kernel mode. These components work together to manage data transfer, ensuring compatibility and security while maintaining efficient communication. The symmetric nature of the bridge ensures that the same API can be used for both sending and receiving data, streamlining the development process and reducing potential errors. By integrating the bridge component into the system, applications can interact with kernel-level functions more efficiently, improving overall system performance and reliability. The invention is particularly useful in scenarios requiring frequent or complex data exchanges between user and kernel modes, such as device drivers, system utilities, or security applications.
16. The method of claim 7 , further comprising setting the communications port to a waiting state in response to activation of the function by the first bridge component and until the second bridge component activates the function.
A system and method for managing communications between bridge components in a networked environment. The technology addresses the challenge of ensuring reliable and synchronized communication between interconnected bridge components, particularly in scenarios where one bridge component must wait for another to activate a specific function before proceeding. The method involves monitoring the activation status of a function within a first bridge component and, upon activation, transitioning the communications port to a waiting state. The port remains in this state until the second bridge component also activates the same function, ensuring that both components are synchronized before communication resumes. This approach prevents data loss or miscommunication by enforcing a coordinated activation sequence between the bridge components. The method may also include additional steps such as detecting the activation of the function, verifying the readiness of the second bridge component, and dynamically adjusting the waiting state based on network conditions or component status. The solution is particularly useful in industrial automation, distributed computing, or any system requiring precise synchronization between interconnected devices.
17. One or more non-transitory computer-readable media storing computer-executable instructions configured to implement a symmetric bridge component for sending data between a kernel mode of a computing device and a user mode of the computing device, the symmetric bridge component performing operations comprising: opening a communications port by causing a first bridge component, of the symmetric bridge component, to activate a function to initialize the communications port in one of the kernel mode or the user mode; setting the communications port to a connected state in response to a second bridge component, of the symmetric bridge component, activating the function in the other of the kernel mode or the user mode; and in response to opening the communications port and setting the communications port to the connected state, sending a message containing the data via the communications port, the data originating from a first endpoint component executable in one of the kernel mode or the user mode, and the data received at a second endpoint component executable in the other of the kernel mode or the user mode.
The invention relates to a system for facilitating secure and efficient data exchange between kernel mode and user mode in a computing device. The problem addressed is the complexity and potential security risks associated with traditional inter-process communication (IPC) mechanisms that bridge these two operating system layers. The solution involves a symmetric bridge component that enables bidirectional data transfer while maintaining isolation between the modes. The symmetric bridge component consists of two bridge components, one operating in kernel mode and the other in user mode. The process begins by opening a communications port, where the first bridge component initializes the port in either kernel or user mode. The second bridge component then activates the same function in the opposite mode, setting the port to a connected state. Once established, the bridge enables message passing between a first endpoint component (running in one mode) and a second endpoint component (running in the other mode). This approach ensures that data originating in one mode is securely transmitted to the target mode without requiring additional translation layers or exposing the kernel to user-mode vulnerabilities. The system is designed to be flexible, allowing either mode to initiate communication while maintaining strict separation of privileges.
18. The one or more non-transitory computer-readable media of claim 17 , wherein: opening the communications port further comprises returning a port handle for the communications port; and sending the message is based at least in part on the port handle.
This invention relates to computer systems and methods for managing communications ports in a computing environment. The problem addressed is the need for efficient and secure handling of communications ports, particularly in systems where multiple processes or applications may require access to the same port. The invention provides a solution by enabling controlled access to communications ports through the use of port handles, which serve as identifiers for opened ports. The system involves one or more non-transitory computer-readable media storing instructions that, when executed, perform operations for managing communications ports. These operations include opening a communications port, which involves returning a port handle for the port. The port handle is then used as a reference when sending messages through the port. This approach ensures that messages are directed to the correct port and that access to the port is managed in a controlled manner. The use of port handles allows for secure and efficient communication, preventing unauthorized access and ensuring that messages are properly routed. The invention may also include additional features, such as validating the port handle before sending a message to ensure that the handle is valid and that the port is accessible. This further enhances security and reliability in the communication process. The system is designed to work in various computing environments, including those where multiple applications or processes may need to interact with the same port. By using port handles, the system provides a structured and secure way to manage communications, improving overall system performance and security.
19. The one or more non-transitory computer-readable media of claim 17 , wherein opening the communications port further comprises assigning a port identifier to the communications port that uniquely identifies the communications port by differentiating the communications port from other communications ports that have been opened on the computing device.
This invention relates to computer systems and network communications, specifically addressing the management of communications ports in computing devices. The problem solved involves ensuring unique identification of communications ports to prevent conflicts and enable proper routing of data. When a communications port is opened on a computing device, the system assigns a port identifier that uniquely distinguishes it from other open ports. This identifier ensures that data transmitted or received through the port is correctly routed and prevents collisions with other ports. The port identifier may be generated based on factors such as the port's purpose, the application using it, or a sequential numbering system. This solution enhances network reliability and security by avoiding port conflicts and ensuring accurate data handling. The invention is particularly useful in environments where multiple applications or services require simultaneous network access, such as servers, cloud computing platforms, or embedded systems. By dynamically assigning unique identifiers, the system optimizes resource allocation and simplifies port management.
20. The one or more non-transitory computer-readable media of claim 17 , wherein the symmetric bridge component comprises at least one common application programming interface (API) for communication of the data between the kernel mode and the user mode in both directions.
This invention relates to a system for facilitating secure and efficient data communication between kernel mode and user mode in a computing environment. The problem addressed is the complexity and potential security risks associated with traditional methods of interoperability between these two operating system layers, which often require multiple interfaces or custom solutions. The system includes a symmetric bridge component that enables bidirectional data exchange between kernel mode and user mode. This bridge component features at least one common application programming interface (API) that standardizes communication, reducing the need for multiple, potentially incompatible interfaces. The API ensures consistent and secure data transfer, minimizing the risk of errors or vulnerabilities that can arise from ad-hoc or proprietary communication methods. By providing a unified interface, the system simplifies development and maintenance while enhancing security and performance. The symmetric bridge component operates by translating data between the kernel and user modes, ensuring compatibility and integrity. The common API allows developers to interact with both modes using a single, well-defined interface, streamlining the development process. This approach improves efficiency, reduces complexity, and enhances the reliability of applications that require interaction between these operating system layers. The system is particularly useful in environments where secure and seamless communication between kernel and user modes is critical, such as in operating systems, drivers, or security applications.
21. The one or more non-transitory computer-readable media of claim 17 , wherein the communications port is set to a waiting state in response to activation of the function by the first bridge component and until the second bridge component activates the function.
This invention relates to a system for managing communications between components in a computing environment, particularly addressing the challenge of coordinating data transfer between bridge components that facilitate communication across different protocols or domains. The system includes a communications port that can be dynamically controlled to manage data flow between a first bridge component and a second bridge component. The communications port is configured to enter a waiting state when the first bridge component activates a specific function, preventing data transfer until the second bridge component also activates the same function. This ensures synchronized activation of the function across both bridge components before data transmission resumes, preventing data loss or corruption during transitions. The system may also include a controller that monitors the activation status of the function in both bridge components and adjusts the communications port state accordingly. The waiting state is maintained until both components confirm activation, at which point the port transitions to an active state, allowing data to flow between them. This approach is particularly useful in environments where bridge components operate asynchronously or where strict synchronization is required for reliable data transfer.
Unknown
August 20, 2019
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.